CN109923547A - Program behavior monitoring device, distributed object generation management device, storage medium, and program behavior monitoring system - Google Patents

Info

Publication number: CN109923547A
Authority: CN (China)
Application number: CN201780067370.9A
Other versions: CN109923547B
Original language: Chinese (zh)
Legal status: Granted, Active
Prior art keywords: distributed objects, supervision object, request, server, module
Inventors: 山田智昭, 高萩澄子
Current assignee: Soliton Systems KK
Original assignee: Soliton Systems KK
Application filed by Soliton Systems KK

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software


Abstract

A program behavior monitoring device according to the 1st form of the invention includes a supervision object process manager module, which registers in a supervision object process inventory the identification information of the process that is the executing subject of a program and is to be monitored; when an arbitrary inquiry source asks whether a process is a supervision object, the module looks up the supervision object process inventory with the identification information of that process and returns to the inquiry source whether the process is a supervision object. The device further includes a notice receiving module, which receives a specified notification from a distributed object generation management device (the device that generates a distributed object server and holds that server's identification information) when that device receives a use request for the distributed object server from a supervision object process.

Description

Program behavior monitoring device, distributed object generation management device, storage medium, and program behavior monitoring system
Technical field
The present invention relates to a program behavior monitoring device, a distributed object generation management device, a storage medium, and a program behavior monitoring system.
Background technique
In general, to improve software development efficiency, a process (the executing subject of a program) is often divided according to function. One way to divide a process is to generate and start another independent process and delegate part of the processing to it.
The 1st method by which a process delegates processing to an independent process is for the process to generate a subprocess and entrust the processing to that subprocess.
In this case, communication between the parent and child processes can use, besides network communication technologies such as TCP/IP and the usual interprocess communication mechanisms provided by the operating system such as named pipes, closed data exchange between the two by sharing storage resources between the parent and child processes.
On the other hand, when the content of the divided processing is general-purpose, the 2nd method by which a process delegates processing to an independent process is called distributed object technology. With distributed object technology, the independent process that is generated and started is a distributed object server that performs general-purpose processing according to a public calling convention.
For example, when the 1st process wants an independent process to perform general-purpose processing, it can notify the distributed object generation management module provided by the operating system of a use request for a distributed object server that can perform that processing.
If the designated distributed object server is not running at that point, the distributed object generation management module generates and starts the distributed object server and returns to the 1st process a response that includes the method for accessing the distributed object server.
On the other hand, when the 2nd process wants an independent process to perform the same general-purpose processing, it can also notify the distributed object generation management module of a use request for that distributed object server.
Because the designated distributed object server is already running, the distributed object generation management module simply returns to the 2nd process a response that includes the method for accessing the distributed object server.
In the 1st method described above, the processing of the parent process and the subprocess takes place in a closed space within one computer. In contrast, the 2nd method also covers the case where the processing of the 2nd process that issued the use request and the processing of the distributed object server take place on different computers.
Therefore, in the 2nd method, the communication between the process that issues the use request and the distributed object generation management module, and the communication between that process and the distributed object server, are in principle limited to interprocess communication methods based on the network communication technologies described above.
With distributed object technology, a software system can be partitioned into independent programs that provide general-purpose processing, and each such stand-alone program is generated and started as a distributed object server. This greatly improves program reusability, and a part of the system can be modified without rebuilding the whole system software.
Moreover, because multiple computers can start multiple distributed object servers at the same time and share the work, computer resources can be used more efficiently.
In addition, when a process issues a use request but the distributed object server is not running, the distributed object generation management module generates and starts the distributed object server. In this way, the distributed object server is generated and started with the use request from the requesting process as the trigger. However, the relationship between the requesting process and the distributed object server is essentially that, once the latter has started running, the former repeatedly uses the running latter. Therefore, this relationship is not the same as the parent-child relationship between processes described earlier.
On the other hand, to prevent an untrusted program from being executed in a protected area designated by the system and performing malicious acts against the system, there is a security mechanism called a sandbox.
A program executed in a sandbox is generated and started in a monitored state in which the process that is its executing subject cannot operate on other processes, data, and so on. Therefore, even if the process runs out of control or activates a virus, the effect does not spread outside the sandbox. Hereinafter, a process generated and started in a sandbox is referred to as a "supervision object process".
Patent document 1 discloses a technology related to a supervision object process and its subprocesses. The file system, registry, and so on are virtualized and executed in a virtual space that serves as the sandbox. The executing subject of the program is the supervision object process. In patent document 1, it is determined whether a subprocess generated and started by the supervision object process (which itself becomes a supervision object) uses the same virtual space as the parent process or whether a dedicated virtual space is generated for the subprocess. That is, with the technology of patent document 1, a subprocess can also be made a supervision object when its parent process is a supervision object.
In other words, when a supervision object process directly generates and starts a subprocess in the sandbox, the parent-child relationship between the processes is clear, so the subprocess can easily be made a supervision object.
Prior art documents
Patent documents
Patent document 1: Japanese Unexamined Patent Publication No. 2010-205186
Summary of the invention
Problem to be solved by the invention
The present invention is intended to solve the problems of the prior art described above.
The solution to the problem
The 1st form of the invention, a program behavior monitoring device, includes: a supervision object process manager module, which registers in a supervision object process inventory the identification information of the process that is the executing subject of a program and is to be monitored, and which, when an arbitrary inquiry source asks whether a process is a supervision object, looks up the supervision object process inventory with the identification information of that process and returns to the inquiry source whether the process is a supervision object; and a notice receiving module, which receives a specified notification from a distributed object generation management device (the device that generates a distributed object server and holds that server's identification information) when that device receives a use request for the distributed object server from a supervision object process.
The 2nd form of the invention, a distributed object generation management device, includes: a use request receiving module, which receives a use request for a distributed object server from a process that is the executing subject of a program; a distributed object server generation module, which generates the distributed object server named in the use request when the identification information of the process that issued the use request received by the use request receiving module is not registered in the supervision object process inventory; and a notice sending module, which sends a specified notification to the program behavior monitoring device when the identification information of the process that issued the use request received by the use request receiving module is registered in the supervision object process inventory.
The 3rd form of the invention, a program behavior monitoring system, includes the program behavior monitoring device and the distributed object generation management device described above.
Invention effect
According to any of these forms, not only the program behavior of a supervision object process but also the program behavior of a distributed object server that is generated and started in response to a use request from the supervision object process can be monitored exhaustively.
Detailed description of the invention
Fig. 1 is a block diagram of the program behavior monitoring system according to the 1st embodiment of the invention.
Fig. 2 is a sequential flowchart of the behavior of the program behavior monitoring system from start to end.
Fig. 3 is a sequential flowchart of the behavior of the program behavior monitoring system from start to end.
Fig. 4 is a flowchart of the printing behavior monitoring routine.
Fig. 5 is a flowchart of the clipboard behavior monitoring routine.
Fig. 6 is a flowchart of the registry protection routine (pid management).
Fig. 7 is a flowchart of the registry protection routine (registry protection).
Fig. 8 is a flowchart of the file protection routine (for the open-file behavior).
Fig. 9 is a flowchart of the file protection routine (for displaying the file name list).
Fig. 10 is a flowchart of the process behavior monitoring routine.
Fig. 11 is a block diagram of the main part of the program behavior monitoring system.
Fig. 12 is a flowchart of the distributed object server generation monitoring routine.
Fig. 13 is a flowchart of the distributed object server generation monitoring routine.
Fig. 14 is a flowchart of the 2nd distributed object server generation monitoring routine.
Fig. 15 is a flowchart of the 3rd distributed object server generation monitoring routine.
Specific embodiment
Embodiments of the present invention are described in detail with reference to the attached drawings.
[the 1st embodiment]
Fig. 1 is a block diagram showing the configuration of the program behavior monitoring system 1 according to the first embodiment of the present invention.
Program behavior monitoring system 1 is made up of functional blocks arranged in the following memory spaces: the system area, the memory space used when the processes necessary for the system (the operating system and so on) run; the common user area, the shared memory space available when any user executes a process; and the personal user areas (user 1 area, user 2 area, ...), the memory space available when an individual user executes a process.
Program behavior monitoring system 1 monitors, among the multiple processes present in a personal user area, the various behaviors of the process that is the executing subject of a program the user has chosen to generate and start in the sandbox and that thereby becomes a supervision object process (supervision object user process 32), together with its descendant processes. Further, program behavior monitoring system 1 monitors, among the multiple distributed object servers present in the common user area, the various behaviors of the distributed object servers generated in response to use requests from supervision object user process 32 and the like (supervision object distributed object server 21). Hereinafter, processes including supervision object user process 32 and supervision object distributed object server 21 are referred to collectively as "supervision object processes".
Program behavior monitoring system 1 includes, as functional blocks running in the system area, registry redirector 11, file system redirector 12, and distributed object generation management module 13.
Program behavior monitoring system 1 includes, as a functional block running in the common user area, whole control module 20. Inside whole control module 20 is supervision object distributed object server generation module 20G.
Further, program behavior monitoring system 1 includes, as functional blocks running in a personal user area, supervision object user process generation module 31, and printing behavior monitoring module 32P and clipboard behavior monitoring module 32C, which are generated inside supervision object user process 32.
Whole control module 20 is responsible for overall control of the program behavior monitoring service that monitors the behavior of supervision object processes. In addition, through supervision object distributed object server generation module 20G held inside it, whole control module 20 can generate and start a distributed object server that becomes a supervision object (supervision object distributed object server 21).
Registry redirector 11 monitors, controls, and protects registry access behavior by supervision object processes in the system area. The registry here refers, for example when the operating system is Windows (registered trademark) of Microsoft, to the database the operating system uses to record basic information about the operating system, settings of various programs, extension information, and so on.
File system redirector 12 monitors, controls, and protects file access behavior by supervision object processes in the system area.
Supervision object user process generation module 31 in a personal user area generates and starts supervision object user process 32 in the personal user area assigned to that user.
Printing behavior monitoring module 32P, inside any process generated and started in a personal user area, monitors the behavior of the user performing printing through that process.
Clipboard behavior monitoring module 32C, inside any process generated and started in a personal user area, monitors, controls, and protects the clipboard operations the user performs through that process. The clipboard here refers to the function of temporarily holding the data a user "copies" and "pastes" in order to exchange data between different programs.
Distributed object generation management module 13 is one of the standard functional blocks of the operating system; in the present embodiment it additionally has a function that lets whole control module 20 monitor supervision object distributed object server 21.
As a standard function of the operating system, when distributed object generation management module 13 receives a request to generate a distributed object server from a process in a personal user area, it generates the distributed object server in the common user area and then obtains the pid of that distributed object server.
As the additional function described above, when distributed object generation management module 13 receives a request to generate a distributed object server from supervision object user process 32 in a personal user area, it requests whole control module 20 in the common user area to generate the distributed object server (supervision object distributed object server 21). After supervision object distributed object server 21 has been generated, distributed object generation management module 13 obtains the pid of supervision object distributed object server 21 from whole control module 20.
In addition, regardless of whether they are supervision objects, distributed object generation management module 13 obtains the pids of all distributed object servers in the common user area and uses them to manage the distributed object servers. Further, distributed object generation management module 13 also has a function for checking whether a distributed object server it manages is in the supervision object state.
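The two paths that module 13 takes for a use request (standard generation, or generation through whole control module 20 so that the server becomes a supervision object), as an added Python simulation that is not the patent's code. The class names, the `build` helper, the pid values, and the server name "DocConverter" are constructed here; the supervision object inventory of registry redirector 11 is modelled as a plain set, and keeping a supervised and an unsupervised instance of the same server apart is an assumption of this example.

```python
from __future__ import annotations

import itertools
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class DistributedObjectServer:
    """A generated server: its name, its pid, and whether it is a supervision object."""
    name: str
    pid: int
    supervised: bool


class WholeControlModule:
    """Stand-in for whole control module 20 with generation module 20G.

    Any server it generates is its own descendant, so registry redirector 11 would
    register the new pid as a supervision object automatically. Assumption: the
    redirector's inventory is modelled as a plain set that this class updates.
    """

    def __init__(self, inventory: set[int], pids: Iterator[int]) -> None:
        self.inventory = inventory
        self.pids = pids

    def generate_supervised_server(self, name: str) -> DistributedObjectServer:
        pid = next(self.pids)
        self.inventory.add(pid)  # descendant of module 20 -> supervision object
        return DistributedObjectServer(name, pid, supervised=True)


class DistributedObjectGenerationManager:
    """Stand-in for module 13: standard generation plus the embodiment's extra function."""

    def __init__(self, inventory: set[int], control: WholeControlModule,
                 pids: Iterator[int]) -> None:
        self.inventory = inventory
        self.control = control
        self.pids = pids
        # Running servers keyed by (name, supervised). Assumption: a supervised and an
        # unsupervised instance of the same server are kept apart, so a process outside
        # the sandbox never shares a server with one inside it.
        self.servers: dict[tuple[str, bool], DistributedObjectServer] = {}

    def use_request(self, requester_pid: int, name: str) -> DistributedObjectServer:
        """Reuse a running server, or generate one on the path that matches the
        requester's supervision state (the check that the 2nd form describes)."""
        supervised = requester_pid in self.inventory
        key = (name, supervised)
        server = self.servers.get(key)
        if server is None:
            if supervised:
                # Extra function: ask module 20 to generate it, then record its pid.
                server = self.control.generate_supervised_server(name)
            else:
                # Standard function: generate it in the common user area directly.
                server = DistributedObjectServer(name, next(self.pids), supervised=False)
            self.servers[key] = server
        return server

    def is_supervised(self, server_pid: int) -> bool:
        """Check whether a managed server is in the supervision object state."""
        return any(s.pid == server_pid and s.supervised for s in self.servers.values())

    def stop_supervised_servers(self) -> list[int]:
        """Step S14 at shutdown: stop every supervision object server; returns their pids."""
        stopped = [s.pid for s in self.servers.values() if s.supervised]
        for key in [k for k in self.servers if k[1]]:
            del self.servers[key]
        for pid in stopped:
            self.inventory.discard(pid)
        return stopped


def build(monitored_pids: set[int], first_pid: int = 100) -> DistributedObjectGenerationManager:
    """Constructed wiring for a demo: one shared inventory and one pid allocator."""
    pids = itertools.count(first_pid)
    control = WholeControlModule(monitored_pids, pids)
    return DistributedObjectGenerationManager(monitored_pids, control, pids)


if __name__ == "__main__":
    inventory = {20, 32}  # constructed: module 20 and supervision object user process 32
    manager = build(inventory)
    print(manager.use_request(32, "DocConverter"))   # supervised instance, pid 100
    print(manager.use_request(500, "DocConverter"))  # separate unsupervised instance, pid 101
    print(manager.stop_supervised_servers())         # [100]
```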
On the other hand, the supervision object processes generated and started as supervision objects, as shown by the dashed rectangle in Fig. 1, are divided into supervision object user process 32, the descendant processes of supervision object user process 32, and supervision object distributed object server 21 generated and started in the common user area. In addition, as described in more detail below, the pids of all supervision object processes are registered in registry redirector 11.
Fig. 2 and Fig. 3 are sequential flowcharts showing the behavior of program behavior monitoring system 1 from start to end.
In step S1, together with system startup, the operating system starts, and distributed object generation management module 13, one of the standard functional blocks of the operating system, also starts.
In step S2, registry redirector 11 starts.
After this, whenever the operating system receives a registry access request, a request to generate and start a new subprocess, or an end notification from any process, it always notifies registry redirector 11 of the received information together with the pid of that process.
A pid (process identifier) here is identification information used to uniquely identify each process within a computer. When the operating system receives a request to generate and start a new subprocess from any process, it notifies registry redirector 11 of the pid of the requesting process together with the pid of the subprocess that is generated and started.
Accordingly, if the pid of some process is registered as a supervision object, then when that process generates and starts a subprocess, registry redirector 11 receives from the operating system not only the pid of that process but also the pid of the subprocess. As a result, registry redirector 11 automatically registers as supervision objects the pids of all descendant processes generated and started with that process as the starting point (root process). The details are performed by the registry protection routine (pid management) shown in Fig. 6 below.
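The pid management just described, as an added Python model that is not the patent's code: the OS reports (parent pid, child pid) pairs and end notifications, and registering one root pid makes every process grown from it a supervision object. The class and function names and the pid values (20, 31, 32, 320, 1000, 1001) are constructed; removing a pid on its end notification, so that a later process reusing the number starts unmonitored, is an assumption this example makes about the redirector.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RegistryRedirector:
    """Model of the pid management in registry redirector 11.

    The OS reports every (parent pid, child pid) generation and every end
    notification; a child of a supervision object becomes a supervision object,
    so registering one root pid covers the whole process tree grown from it.
    Assumption: the inventory holds live pids only, and a finished pid is
    removed at once so a later process that reuses the number is not mistaken
    for it.
    """
    inventory: set[int] = field(default_factory=set)

    def register_root(self, pid: int) -> None:
        """Step S4: whole control module 20 registers its own pid as the root."""
        self.inventory.add(pid)

    def on_process_created(self, parent_pid: int, child_pid: int) -> bool:
        """OS notification of a new subprocess. Returns True when the child was
        registered as a supervision object because its parent is one."""
        if parent_pid in self.inventory:
            self.inventory.add(child_pid)
            return True
        return False

    def on_process_ended(self, pid: int) -> None:
        """OS end notification: drop the pid so a reused pid starts unmonitored."""
        self.inventory.discard(pid)

    def is_supervision_object(self, pid: int) -> bool:
        """The inquiry that modules 32P and 32C make at startup (steps S21 and S31)."""
        return pid in self.inventory


def startup_tree() -> RegistryRedirector:
    """Constructed walk-through of steps S4 to S6 with made-up pids:
    module 20 (pid 20) -> module 31 (pid 31) -> user process 32 (pid 32) -> child 320,
    plus an unrelated process tree (1000 -> 1001) that is not a supervision object."""
    r = RegistryRedirector()
    r.register_root(20)
    r.on_process_created(20, 31)
    r.on_process_created(31, 32)
    r.on_process_created(32, 320)
    r.on_process_created(1000, 1001)
    return r


if __name__ == "__main__":
    r = startup_tree()
    print(sorted(r.inventory))  # [20, 31, 32, 320]; 1001 is not a supervision object
```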
In step S3, file system redirector 12 starts.
Then, whenever the operating system receives a file access request, a request to generate and start a new subprocess, or an end notification from any process, it always notifies file system redirector 12 of the received information together with the pid of that process.
Accordingly, if the pid of some process is registered as a supervision object, file system redirector 12 automatically registers as supervision objects the pids of all descendant processes generated and started with that process as the starting point.
Then, after all processes of the system area have started as part of operating system startup, the flow proceeds to step S4.
In step S4, whole control module 20 starts in the common area in order to provide the program behavior monitoring service as a common service for all users.
On startup, whole control module 20 registers its own pid in registry redirector 11 as the root process of all processes that become supervision objects. Accordingly, the pids of all descendant processes generated and started with whole control module 20 as the starting point are automatically registered as supervision objects by registry redirector 11, which has already started.
In addition, whole control module 20 instructs the operating system in advance so that whenever any process is generated in a personal user area, printing behavior monitoring module 32P and clipboard behavior monitoring module 32C are incorporated inside that process.
For example, when the operating system is Windows (registered trademark) of Microsoft, whole control module 20 instructs the operating system in advance so that a designated hook program is installed in each process when the process starts.
In step S5, whole control module 20 determines whether a registered user who requests the start of the program behavior monitoring service has been detected. If a registered user is detected, the flow proceeds to step S6; if not, it proceeds to step S13.
In step S6, whole control module 20, triggered by the user logging in to the computer, generates and starts supervision object user process generation module 31 as its own subprocess in the personal user area generated for the user.
Here, when whole control module 20 started (step S4), it registered its own pid in registry redirector 11 as a supervision object, as the root process of all processes that become supervision objects. Therefore, the pids of the subprocess of whole control module 20, namely supervision object user process generation module 31, of supervision object user process 32 generated and started with it as the starting point, and of all their descendant processes are also automatically registered as supervision objects in registry redirector 11.
In addition, when supervision object user process generation module 31 starts, it presents the user with the user interface of the program behavior monitoring service (program behavior monitoring service UI). The program behavior monitoring service UI displays the folder tree structure of the protected folder described later, the duplicate files in the protected folder that can be selected (blank when there is no duplicate file), and icons of programs whose monitored execution can be linked. When the user selects a linked duplicate file or program, the program associated with the selected icon is executed in the sandbox, and the flow proceeds to step S7 in order to monitor the behavior of supervision object user process 32 that is its executing subject.
In step S7, whole control module 20 executes monitoring of program behavior. Specifically, it executes the program behavior monitoring routine shown in Fig. 10, described later.
In step S8, whole control module 20 determines whether the user who requested execution of the program behavior monitoring service has been detected to have logged out. If the user is detected to have logged out, the flow proceeds to step S9; if not, it returns to step S7. The processing of step S7 is executed until logout is detected.
In step S9, whole control module 20 executes the processing for terminating the program behavior monitoring service provided to the user. Specifically, whole control module 20 stops all supervision object user processes 32 and their descendant processes generated and started in the personal user area of the user.
In step S10, all duplicate files generated and temporarily kept in the protected folder designated by the user are deleted. In addition, as described later, the folder tree structure consisting of the folders that hold the original files and each duplicate file in the protected folder is strictly reproduced.
In step S11, all registry substitute entries generated in the protected area designated by the user are deleted.
In step S12, supervision object user process generation module 31, which was generated and started in the personal area of the user, stops.
In addition, when a supervision object distributed object server 21 has been generated and started in the common area with a use request from supervision object user process 32 as the trigger, that supervision object distributed object server 21 is not stopped at this point, so that it can respond to use requests from supervision object user processes 32 and the like in the personal user areas assigned to users other than this user.
In step S13, whole control module 20 determines whether system shutdown has been detected. If shutdown is detected, the flow proceeds to step S14; if not, it returns to step S5.
In step S14, if any supervision object distributed object servers 21 have been generated and started in the common user area, whole control module 20 stops all of them.
In step S15, whole control module 20 stops. Then, file system redirector 12 stops in step S16, and registry redirector 11 stops in step S17.
In step S18, all functions of the system area and the operating system stop.
Next, the specific behavior processing of program behavior monitoring system 1 for the various behaviors of supervision object user process 32 is described.
In the present embodiment, the behaviors of a supervision object process include printing behavior, clipboard behavior, registry access behavior, and file access behavior. Printing behavior and clipboard behavior are monitored respectively by printing behavior monitoring module 32P and clipboard behavior monitoring module 32C, which are generated and formed inside supervision object user process 32 when it starts.
Registry access behavior and file access behavior are monitored respectively by registry redirector 11 and file system redirector 12, which run in the system area.
Fig. 4 is a flowchart showing the printing behavior monitoring routine of printing behavior monitoring module 32P formed inside a process. When any process is started in a personal user area, this printing behavior monitoring routine is executed inside it.
In step S21, when the process (with printing behavior monitoring module 32P formed inside it) starts, it asks whole control module 20 whether it is itself a supervision object; specifically, whether its own pid is a supervision object.
In step S22, printing behavior monitoring module 32P determines whether it has detected a printing behavior in the process in which it is formed. When printing behavior monitoring module 32P detects a printing behavior, the flow proceeds to step S23; when it does not, it waits at step S22.
In step S23, printing behavior monitoring module 32P determines, based on the result of the inquiry in step S21, whether it is itself a supervision object. When it is a supervision object, the flow proceeds to step S24; when it is not, the flow returns to step S22.
In step S24, printing behavior monitoring module 32P refuses the printing behavior and returns to step S22.
Such a printing behavior monitoring routine is realized, for example when the operating system is Windows (registered trademark) of Microsoft, by a hook program injected into the OpenPrinter API.
Fig. 5 is a flow chart of the clipboard behavior monitoring routine of the clipboard behavior monitoring module 32C formed inside a process. When an arbitrary process is started in the personal user area, this clipboard behavior monitoring routine is executed inside it.
In step S31, when the process (with the clipboard behavior monitoring module 32C formed inside it) starts, it asks the whole control module 20 whether it is itself a supervision object; specifically, it asks whether its own pid is a supervision object.
In step S32, the clipboard behavior monitoring module 32C determines whether it has detected a behavior of the process in which it is formed that enters data into the clipboard. When a data entry behavior is detected, the routine proceeds to step S33; when none is detected, it proceeds to step S35.
In step S33, the clipboard behavior monitoring module 32C determines, based on the result of the inquiry in step S31, whether it is itself a supervision object. When it is a supervision object, the routine proceeds to step S34; when it is not, the routine returns to step S32.
In step S34, the clipboard behavior monitoring module 32C registers its own pid in a defined common storage, in order to indicate that it is the data entry process.
The processing that detects the data entry behavior of its own process in such a clipboard behavior monitoring routine is implemented, for example when the operating system is Microsoft Windows (registered trademark), by a hook program injected into the SetClipboardData API.
On the other hand, in step S35, the clipboard behavior monitoring module 32C determines whether it has detected a behavior of the process in which it is formed that acquires data from the clipboard. When a data acquisition behavior is detected, the routine proceeds to step S36; when none is detected, it returns to step S32.
In step S36, the clipboard behavior monitoring module 32C determines, based on the result of the inquiry in step S31, whether it is itself a supervision object. When it is a supervision object, the routine proceeds to step S38; when it is not, the routine proceeds to step S37.
In step S37, the clipboard behavior monitoring module 32C determines whether the pid of a data entry process is registered in the above common storage. When a pid is registered, the routine proceeds to step S39; when no pid is registered, it proceeds to step S38.
In step S38, the clipboard behavior monitoring module 32C allows the behavior of pasting the acquired data into the process itself. Then the routine returns to step S32.
When it is determined in step S37 that no pid is registered, the data entry process that entered the data is not a supervision object. That is, the data acquisition behavior of step S35 amounts to a clipboard data exchange between ordinary processes that are not supervision objects. Therefore, in step S38, the behavior of pasting the acquired data into the process itself is allowed.
In step S39, the clipboard behavior monitoring module 32C refuses the behavior of pasting the acquired data into the process itself. Then the routine returns to step S32.
When it is determined in step S37 that a pid is registered, the data entry process that entered the data is a supervision object. That is, the data acquisition behavior of step S25 amounts to a movement of data from a process that is a supervision object to a process that is not a supervision object. In other words, the above data acquisition behavior is a transfer of confidential data handled by a program executed inside the sandbox to a program executed outside the sandbox. Therefore, in step S39, the behavior of pasting the acquired data into the process itself is refused.
The processing when the data acquisition behavior of its own process is detected in such a clipboard behavior monitoring routine is implemented, for example when the operating system is Microsoft Windows (registered trademark), by a hook program injected into the GetClipboardData API.
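The decision logic of Fig. 4 and Fig. 5, as an added simulation that is not part of the patent: the hooks are ordinary methods, the whole control module 20 is a set of supervision-object pids, and the common storage of step S34 is a single shared slot. Clearing that slot when an ordinary process writes the clipboard is an assumption the flow chart does not state.

```python
"""Constructed simulation of the in-process monitors of Fig. 4 and Fig. 5.

The OpenPrinter / SetClipboardData / GetClipboardData hooks are modelled as
methods on ProcessMonitor, the whole control module 20 as a set of
supervision-object pids, and the "defined common storage" of step S34 as one
shared slot. No real API hook is installed; every pid here is made up.
"""
from typing import Optional, Set


class CommonStorage:
    """The common storage written in step S34 and read in step S37."""

    def __init__(self) -> None:
        self.entry_pid: Optional[int] = None


class WholeControlModule:
    """Stand-in for module 20: answers whether a pid is a supervision object."""

    def __init__(self, supervised: Set[int]) -> None:
        self.supervised = set(supervised)

    def is_supervision_object(self, pid: int) -> bool:
        return pid in self.supervised


class ProcessMonitor:
    """Modules 32P and 32C as they exist inside one process."""

    def __init__(self, pid: int, control: WholeControlModule,
                 storage: CommonStorage) -> None:
        self.pid = pid
        self.storage = storage
        # Steps S21 / S31: ask once at start-up whether this pid is a supervision object.
        self.supervised = control.is_supervision_object(pid)

    def on_open_printer(self) -> str:
        """Fig. 4: S22 detected a printing behavior; S23 decides, S24 refuses."""
        return "refuse" if self.supervised else "allow"

    def on_set_clipboard_data(self) -> None:
        """Fig. 5, steps S32 to S34: a data entry behavior was detected."""
        if self.supervised:
            self.storage.entry_pid = self.pid   # S34: record "I am the data entry process"
        else:
            # Assumption not stated in the flow chart: when an ordinary process
            # overwrites the clipboard, the recorded supervision-object pid is cleared,
            # otherwise every later paste by ordinary processes would be refused.
            self.storage.entry_pid = None

    def on_get_clipboard_data(self) -> str:
        """Fig. 5, steps S35 to S39: a data acquisition behavior was detected."""
        if self.supervised:                       # S36: a supervised process pastes
            return "allow"                        # S38
        if self.storage.entry_pid is not None:    # S37: a supervised process entered the data
            return "refuse"                       # S39: sandbox -> outside transfer
        return "allow"                            # S38: exchange between ordinary processes


def run_scenario() -> list:
    """Walk through the copy/paste cases; returns the decisions in order."""
    control = WholeControlModule({100})           # pid 100 runs inside the sandbox
    storage = CommonStorage()
    inside = ProcessMonitor(100, control, storage)
    outside = ProcessMonitor(200, control, storage)
    decisions = [inside.on_open_printer(), outside.on_open_printer()]
    inside.on_set_clipboard_data()                # copy from the sandboxed process
    decisions += [outside.on_get_clipboard_data(), inside.on_get_clipboard_data()]
    outside.on_set_clipboard_data()               # copy from an ordinary process
    decisions += [outside.on_get_clipboard_data(), inside.on_get_clipboard_data()]
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```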
As described above, whenever a new process is generated and started, the registry redirector 11 always obtains the creation notification from the operating system together with the pid of that process and the pid of its parent process, and makes use of this information.
Specifically, in the present embodiment, the registry redirector 11 not only plays its own role as registry protector; it also has the role, illustrated in step S2 of Fig. 2, of making use of the notifications from the operating system to manage the pids of all processes that are supervision objects.
That is, the pids of all supervision object processes are managed by the registry redirector 11. Specifically, the registry redirector 11 receives a pid registration notification from the whole control module 20, as illustrated in step S4 of Fig. 2, and registers the pid contained in that notification in the supervision object process inventory it holds internally. Further, when the registry redirector 11 receives a registration inquiry notification for a pid from the whole control module 20 or another module, it looks up the pid contained in the inquiry in the supervision object process inventory and answers the inquiry from the whole control module 20 or other module.
The registry redirector 11 obtains the process creation and registry access notifications from the operating system, obtains the pid registration notifications and registration inquiry notifications from the whole control module 20 and other modules, and executes the registry protection routine as follows.
Fig. 6 and Fig. 7 are flow charts of the registry protection routine executed by the registry redirector 11.
In step S42, the registry redirector 11 registers the pid obtained from the whole control module 20 in the supervision object process inventory. Then the routine returns to step S41.
In step S43, the registry redirector 11 determines whether it has obtained a pid inquiry notification from the whole control module 20 or another module. When a pid inquiry notification has been obtained, the routine proceeds to step S44; otherwise it proceeds to step S45.
In step S44, the registry redirector 11 looks up whether the pid in the inquiry is registered in the supervision object process inventory and returns the result as an answer to the whole control module 20 or other module. Then the routine returns to step S41.
In step S45, the registry redirector 11 determines whether it has obtained a process creation and start notification from the operating system. When such a notification has been obtained, the routine proceeds to step S46; otherwise it proceeds to step S48. Note that the process creation and start notification contains not only the pid of the process that was created and started but also the pid of that process's parent process.
In step S46, having obtained the process creation and start notification from the operating system, the registry redirector 11 determines whether the pid of the parent process of that process is registered in the supervision object process inventory, that is, whether the parent process is a supervision object. When the parent process is a supervision object, the routine proceeds to step S47; when it is not, the routine returns to step S41.
In step S47, the registry redirector 11 registers the pid of the newly created and started process in the supervision object process inventory. Then the routine returns to step S41. In this way, when the parent process of a newly created and started process is a supervision object, the pid of that process is registered in the supervision object process inventory, because that process must also be a supervision object.
As a result, because the whole control module 20 registers its own pid with the registry redirector 11 when it starts (step S4 of Fig. 2), all processes generated with the whole control module 20 as their starting point (its descendant processes) are registered in the supervision object process inventory.
Specifically, every process registered in the supervision object process inventory is one of the following (1) to (4):
(1) the whole control module 20;
(2) the supervision object user process generation module 31, generated and started as a child process of the whole control module 20;
(3) the supervision object user process 32, generated and started as a child process of the supervision object user process generation module 31 when the user specifies execution of a given program inside the sandbox, and its descendant processes;
(4) the supervision object distributed object server 21, generated and started as a descendant process by the supervision object distributed object server generation module 20G inside the whole control module 20, and its descendant processes.
In step S48, the registry redirector 11 determines whether it has obtained a process end notification from the operating system. When a process end notification has been obtained, the routine proceeds to step S49; otherwise it proceeds to step S50.
In step S49, the registry redirector 11, which obtains the pid of the process together with the process end notification, uses that pid to delete the pid of the ended process from the supervision object process inventory. Then the routine returns to step S41.
From step S50 onward, the registry protection processing is executed.
In step S50, the registry redirector 11 determines whether it has obtained a registry access notification from the operating system. A registry access notification is a notification that the operating system always issues when an arbitrary process attempts to access the registry; it contains the pid of the process attempting the access and the content of the access. When a registry access notification has been obtained, the routine proceeds to step S51; otherwise it returns to step S41.
In step S51, the registry redirector 11 uses the pid of the process obtained together with the registry access notification to look up the supervision object process inventory it holds, and determines whether the process attempting to access the registry is a supervision object. When the process is a supervision object, the routine proceeds to step S52; when it is not, the routine returns to step S41.
Accordingly, when a supervision object process 32 attempts to access the registry, the registry redirector 11 executes the processing from step S52 onward in order to protect the registry.
In step S52, the registry redirector 11 determines, based on the notification from the operating system, whether it has detected a behavior that opens a registry entry. When an open behavior for a registry entry is detected, the routine proceeds to step S53; otherwise it proceeds to step S54.
In step S53, the registry redirector 11 generates, in a defined protection area, a substitute registry entry that takes the place of the specified original entry, and opens that substitute registry entry. Then the routine returns to step S41.
In step S54, the registry redirector 11 determines, based on the notification from the operating system, whether it has detected a behavior that reads the value of a registry entry. When a read of a registry entry value is detected, the routine proceeds to step S55; otherwise it proceeds to step S56.
In step S55, the registry redirector 11 copies the value of the specified original entry to the substitute registry entry (generated in response to the above open behavior) and then returns that value. Then the routine returns to step S41.
In step S56, the registry redirector 11 determines, based on the notification from the operating system, whether it has detected a behavior that writes the value of a registry entry. When a write to a registry entry value is detected, the routine proceeds to step S57; otherwise it proceeds to step S58.
In step S57, the registry redirector 11 writes the specified value to the substitute registry entry (generated in response to the above open behavior). Then the routine returns to step S41.
In step S58, the registry redirector 11 determines, based on the notification from the operating system, whether it has detected a behavior that closes a registry entry. When a close behavior for a registry entry is detected, the routine proceeds to step S59; otherwise it returns to step S41.
In step S59, the registry redirector 11 closes the substitute registry entry (generated in response to the above open behavior). Then the routine returns to step S41.
In addition, all substitute registry entries generated in the defined protection area are deleted once the user's logout is detected.
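The pid inventory (steps S42 to S49) and the substitute-entry redirection (steps S50 to S59) of Fig. 6 and Fig. 7, as an added simulation that is not the patent's code: the real registry is a dict, notifications are method calls, and the protection area is a second dict. That a read copies the original value only while the substitute is still empty is an assumption the flow chart does not spell out.

```python
"""Constructed simulation of the registry protection routine of Fig. 6 and Fig. 7.

Not the patent's code: the real registry is a dict, the operating-system and
whole-control-module notifications are method calls, and the "defined
protection area" of step S53 is a second dict of substitute entries.
"""
from typing import Dict, Optional, Set, Tuple


class RegistryRedirector:
    """Module 11: supervision object process inventory plus registry redirection."""

    def __init__(self, real_registry: Dict[str, str]) -> None:
        self.real = real_registry
        self.inventory: Set[int] = set()                # supervision object process inventory
        self.protection: Dict[str, Optional[str]] = {}  # substitute entries (protection area)
        self.open_substitutes: Set[str] = set()

    # --- pid management (steps S42 to S49) ---
    def register(self, pid: int) -> None:
        """S42: pid registration notice from the whole control module 20."""
        self.inventory.add(pid)

    def is_supervision_object(self, pid: int) -> bool:
        """S43/S44: answer a pid inquiry."""
        return pid in self.inventory

    def on_process_created(self, pid: int, parent_pid: int) -> bool:
        """S45 to S47: the creation notice carries the parent pid; children inherit."""
        if parent_pid in self.inventory:
            self.inventory.add(pid)
            return True
        return False

    def on_process_ended(self, pid: int) -> None:
        """S48/S49: drop the ended process from the inventory."""
        self.inventory.discard(pid)

    # --- registry protection (steps S50 to S59) ---
    def on_open(self, pid: int, entry: str) -> Tuple[str, str]:
        """S50 to S53: returns which entry was actually opened."""
        if not self.is_supervision_object(pid):         # S51: ordinary process, no redirection
            return ("real", entry)
        self.protection.setdefault(entry, None)         # S53: create the substitute entry
        self.open_substitutes.add(entry)
        return ("substitute", entry)

    def on_read(self, pid: int, entry: str) -> Optional[str]:
        """S54/S55: copy the original value to the substitute, then return it."""
        if not self.is_supervision_object(pid):
            return self.real.get(entry)
        # Assumption (the flow chart does not say): the copy happens only while the
        # substitute holds no value, so a value written in S57 stays visible.
        if self.protection.get(entry) is None:
            self.protection[entry] = self.real.get(entry)
        return self.protection[entry]

    def on_write(self, pid: int, entry: str, value: str) -> None:
        """S56/S57: a supervised write lands in the substitute, never in the real registry."""
        if not self.is_supervision_object(pid):
            self.real[entry] = value
            return
        self.protection[entry] = value

    def on_close(self, pid: int, entry: str) -> None:
        """S58/S59: close the substitute entry."""
        self.open_substitutes.discard(entry)

    def on_user_logout(self) -> None:
        """All substitute entries in the protection area are deleted at logout."""
        self.protection.clear()
        self.open_substitutes.clear()
```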
Fig. 8 and Fig. 9 are flow charts of the file protection routine executed by the file system redirector 12.
When any process attempts to open a file, or requests the display of the list of file names contained in any folder, the file system redirector 12 obtains from the operating system a notification indicating that behavior (containing the pid of the process) and executes the file protection routine as follows.
Although the details are omitted here, the file system redirector 12 may also manage the pids of supervision object processes in the same way as the registry redirector 11.
In step S61, the file system redirector 12 obtains the notification from the operating system and determines whether it has detected a file open behavior. When a file open behavior is detected, the routine proceeds to step S62; otherwise it proceeds to step S69.
In step S62, the file system redirector 12 determines whether the process attempting to open the file is a supervision object (proceeding to step S63 when it is, and to step S67 when it is not). Here, the file system redirector 12 uses the pid contained in the notification from the operating system and makes the inquiry directly to the registry redirector 11, not to the whole control module 20.
The reason the file system redirector 12 inquires directly of the registry redirector 11 is as follows. Since both the registry redirector 11 and the file system redirector 12 reside in the system area, it is more efficient for the file system redirector 12 to ask the registry redirector 11 directly whether a given process is a supervision object than to ask through the whole control module 20, which resides in a different area (the ordinary user area).
As described above, the file system redirector 12 may manage the pids of supervision object processes in the same way as the registry redirector 11. In that case, the file system redirector 12 may look up the supervision object process inventory it holds itself.
In step S63, the file system redirector 12 determines, based on the notification from the operating system, whether the process is attempting to open a file inside the isolation folder. When it is attempting to open a file inside the isolation folder, the routine proceeds to step S65; when it is attempting to open a file outside the isolation folder, the routine proceeds to step S64.
In step S64, the file system redirector 12 determines whether a write flag is present in the notification from the operating system. The write flag indicates that the file open behavior may edit the content of the target file. When the write flag is present, the routine proceeds to step S66; when it is absent, the routine proceeds to step S65.
In step S65, the file system redirector 12 allows the process's file open behavior. Then the routine returns to step S61.
That is, the file open behavior is allowed when a supervision object process (affirmative determination in step S62) attempts to open a file inside the isolation folder (affirmative determination in step S63), or when it attempts only to read, and not to edit, a file outside the isolation folder (an ordinary file that exists originally; negative determination in step S63 and negative determination in step S64).
In step S66, the file system redirector 12 generates a copy of the specified original file inside the isolation folder and then opens that copy inside the isolation folder. Accordingly, the copy can be edited inside the isolation folder. Then the routine returns to step S61.
In step S67, the file system redirector 12 determines, based on the notification from the operating system, whether the process, which is not a supervision object, is attempting to open a file inside the isolation folder. When it is attempting to open a file inside the isolation folder, the routine proceeds to step S68; when it is attempting to open a file outside the isolation folder, the routine proceeds to step S65.
When a process that is not a supervision object attempts to open a file outside the isolation folder, this is regarded as an ordinary file open behavior. Therefore, the file open behavior is allowed (step S65).
In step S68, the file system redirector 12 refuses the file open behavior. That is, when a process that is not a supervision object attempts to open a file inside the isolation folder, the file open behavior is refused. Then the routine returns to step S61.
In step S69, the file system redirector 12 determines, based on the notification from the operating system, whether it has detected a list display request for the file names contained in a given folder. When a list display request is detected, the routine proceeds to step S70; otherwise it returns to step S61.
In step S70, the file system redirector 12 determines whether the process requesting display of the file list is a supervision object. The same processing as in step S62 is executed here. Then, when the process is a supervision object, the routine proceeds to step S71; when it is not, the routine proceeds to step S76.
In step S71, the file system redirector 12 obtains the list of file names contained in the folder specified by the above process (the first list of file names).
In step S72, the file system redirector 12 obtains the list of file names contained in the isolation folder (the second list of file names).
In step S73, the file system redirector 12 compares the first list of file names with the second list of file names and determines whether any file names are identical. When identical file names exist, the routine proceeds to step S74; otherwise it proceeds to step S75.
In step S74, for the files whose names are identical, the file system redirector 12 takes the first list of file names as the base and overwrites it with the related information from the second list of file names, obtained from the isolation folder, which takes priority. In this way, the file system redirector 12 merges the first list of file names and the second list of file names.
In step S75, the file system redirector 12 returns the merged list of file names to the process that initiated the request. Then the routine returns to step S61.
Here, inside the isolation folder, the file tree formed by the copies of the original files and by the folder structure of each copy is reproduced faithfully. Further, the comparison of the lists of file names compares the file names in the specified folder with the file names in the isolation folder, excluding the root folder name portion of the isolation folder.
For example, when the original file in the specified folder is "$$My file$notepad.txt" and the corresponding copy in the isolation folder is "..$isolation folder$My file$notepad.txt", the file names are compared after excluding the root folder name portion of the isolation folder, "..$isolation folder".
Accordingly, when a supervision object process specifies a file in any folder for the purpose of editing its content, what is in fact specified, as a replacement for the specified file, is the copy in the isolation folder that corresponds to that file. That copy is then opened and edited.
In addition, in the present embodiment, after a supervision object process has executed a file open behavior, the content editing behaviors performed by that supervision object process until the file is closed are not supervision objects.
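The open decision (steps S61 to S68) and the list merge (steps S69 to S75) of Fig. 8 and Fig. 9, as an added simulation that is not the patent's code: folders are in-memory dicts, the isolation folder mirrors the original tree under its own root as in the "..$isolation folder" example, and the step S62 inquiry is a callable standing in for the registry redirector 11. The step S76 branch is outside this excerpt, so the example returns the unmodified list there (assumption).

```python
"""Constructed simulation of the file protection routine of Fig. 8 and Fig. 9.

Not the patent's code. A folder is a dict {file name: (size, mtime)}, the path
separator is "$" as in the example paths of this section, and the isolation
folder mirrors the original tree under its own root folder name.
"""
from typing import Callable, Dict, Tuple

SEP = "$"
FileInfo = Tuple[int, str]   # (size, last-modified) -- constructed metadata


class FileSystemRedirector:
    """Module 12. is_supervision_object stands in for the inquiry to module 11."""

    def __init__(self, tree: Dict[str, Dict[str, FileInfo]], isolation_root: str,
                 is_supervision_object: Callable[[int], bool]) -> None:
        self.tree = tree                       # folder path -> {file name: info}
        self.isolation_root = isolation_root   # e.g. "..$isolation folder"
        self.is_supervised = is_supervision_object

    def _in_isolation(self, folder: str) -> bool:
        return folder == self.isolation_root or folder.startswith(self.isolation_root + SEP)

    def _isolated_path(self, folder: str) -> str:
        # "$$My file" -> "..$isolation folder$My file": same tree under the isolation root
        return self.isolation_root + SEP + folder.lstrip(SEP)

    def on_open(self, pid: int, folder: str, name: str, write: bool) -> Tuple[str, str]:
        """Steps S61 to S68. Returns (decision, path that is actually opened)."""
        path = folder + SEP + name
        inside = self._in_isolation(folder)
        if self.is_supervised(pid):                    # S62: supervision object process
            if inside:                                 # S63: already inside the isolation folder
                return ("allow", path)                 # S65
            if not write:                              # S64: no write flag, read only
                return ("allow", path)                 # S65
            # S66: copy the original into the mirrored isolation folder, open the copy
            copy_folder = self._isolated_path(folder)
            self.tree.setdefault(copy_folder, {})[name] = self.tree[folder][name]
            return ("allow", copy_folder + SEP + name)
        if inside:                                     # S67: ordinary process, isolated file
            return ("refuse", path)                    # S68
        return ("allow", path)                         # S65: ordinary open of an ordinary file

    def on_list(self, pid: int, folder: str) -> Dict[str, FileInfo]:
        """Steps S69 to S75. Names are compared relative to the isolation root."""
        first = dict(self.tree.get(folder, {}))        # S71: first list of file names
        if not self.is_supervised(pid):                # S70 negative -> S76
            return first                               # assumption: list returned unchanged
        second = self.tree.get(self._isolated_path(folder), {})   # S72: second list
        for name, info in second.items():              # S73: identical names?
            if name in first:
                first[name] = info                     # S74: isolation copy takes priority
        return first                                   # S75: merged list
```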
Figure 10 is a flow chart of the process behavior monitoring routine executed by the whole control module 20. In the process behavior monitoring routine, inquiries about supervision object processes (steps S81 to S87) and the generation and start of a supervision object distributed object server (steps S88 to S90) are performed.
In step S81, the whole control module 20 receives a request from another functional block (any process). For example, when a certain process is generated and started, it makes a request to the whole control module 20 in order to confirm whether it is itself a supervision object. Further, as described later, when the distributed object generation management module 13 receives a distributed object server generation request from a supervision object user process 32, it requests the whole control module 20 to generate a supervision object distributed object server 21.
In step S82, the whole control module 20 determines whether the received request is a supervision object inquiry. When it is a supervision object inquiry, the routine proceeds to step S83; when it is not, the routine proceeds to step S88.
In step S83, the whole control module 20 obtains, from the received request, the pid of the process that issued the inquiry.
In step S84, the whole control module 20 uses the obtained pid to make an inquiry to the registry redirector 11.
In step S85, the whole control module 20 receives from the registry redirector 11 the answer to the inquiry as to whether the process that issued the inquiry is a supervision object. When the process that issued the inquiry is a supervision object, the routine proceeds to step S86; when it is not, the routine proceeds to step S87.
In step S86, the whole control module 20 returns to the process that issued the inquiry an affirmative answer, namely that the process is a supervision object. Then the routine returns to step S81.
In step S87, the whole control module 20 returns to the process that issued the inquiry a negative answer, namely that the process is not a supervision object. Then the routine returns to step S81.
On the other hand, in step S88, the whole control module 20 determines whether the request received in step S81 is a generation and start request for a supervision object distributed object server 21 from the distributed object generation management module 13. When it is such a request, the routine proceeds to step S89; otherwise it returns to step S81.
In step S89, the whole control module 20 has the supervision object distributed object server generation module 20G that it holds internally execute the following processing: the supervision object distributed object server generation module 20G generates and starts the requested supervision object distributed object server 21 as its own child process.
In step S90, the whole control module 20 returns to the distributed object generation management module 13, which initiated the request, the pid of the supervision object distributed object server 21 generated and started by the supervision object distributed object server generation module 20G. Then the routine returns to step S81.
As part of its ordinary behavior, the distributed object generation management module 13 manages the pids of all distributed object servers, regardless of whether a distributed object server is a supervision object. Even when a supervision object distributed object server 21 is generated and started by the whole control module 20, the distributed object generation management module 13 must manage the pid of that supervision object distributed object server 21.
Here, the whole control module 20 notifies the distributed object generation management module 13 of the pid of the supervision object distributed object server 21 it generated and started, and has that pid registered. Accordingly, the distributed object generation management module 13 can always manage the pids of all distributed object servers, regardless of whether a distributed object server is a supervision object.
Here, the parent process of the supervision object distributed object server 21, namely the whole control module 20, is registered with the registry redirector 11 as a supervision object. At the same time, as a result of executing the process behavior monitoring routine shown in Fig. 10, the supervision object distributed object server 21, which is a child process of the whole control module 20, and all descendant processes generated and started with it as their starting point are also registered automatically with the registry redirector 11 as supervision objects.
Next, the processing sequence when a supervision object user process 32 issues a use request for a desired distributed object server to the distributed object generation management module 13 is described.
Figure 11 is a block diagram of the main part of the program behavior monitoring system 1. In Figure 11, the processing is executed in the order (1) to (6).
(1) An arbitrary supervision object user process 32 sends to the distributed object generation management module 13 a use request for a supervision object distributed object server 21.
(2) When the process that initiated the use request is a supervision object, the distributed object generation management module 13 issues to the whole control module 20 a notification in the form defined by the whole control module 20 (a notification of the start method, containing the executable object file, the execution permissions, and the like), requesting the generation and start of the supervision object distributed object server 21 that the use request is for.
(3) The whole control module 20 receives the request from the distributed object generation management module 13 and, using the supervision object distributed object server generation module 20G it holds internally, generates and starts the distributed object server that the use request is for, as a supervision object distributed object server 21.
(4) As the response to the distributed object generation management module 13, the whole control module 20 returns the pid of the generated and started supervision object distributed object server 21.
(5) The distributed object generation management module 13 returns to the process that initiated the use request a response containing the access method for the generated and started supervision object distributed object server 21.
(6) The supervision object user process 32 (the process that initiated the use request) communicates with the supervision object distributed object server 21 based on the access method for the supervision object distributed object server 21 received from the distributed object generation management module 13.
Next, the specific processing sequence when a supervision object user process 32 issues a use request for a desired distributed object server to the distributed object generation management module 13 is described. Specifically, the processing of the distributed object generation management module 13 in (1), (2), (4) and (5) of Figure 11 is described.
Figure 12 and Figure 13 are flow charts of the distributed object server generation management routine executed by the distributed object generation management module 13.
In step S101, the distributed object generation management module 13 determines whether there is a use request for a desired distributed object server from any process. When there is a use request, the routine proceeds to step S102; otherwise it waits at step S101.
In step S102, the distributed object generation management module 13 receives the use request for the desired distributed object server and obtains the pid of the process that initiated the use request (contained in the use request).
In step S103, the distributed object generation management module 13 determines whether the distributed object server that the use request is for is running. If it is running, the routine proceeds to step S108; if it is not running, the routine proceeds to step S104.
In step S104, the distributed object generation management module 13 uses the obtained pid to inquire directly of the registry redirector 11 and determines whether the process that initiated the use request is a supervision object. When that process is a supervision object, the routine proceeds to step S105; when it is not, the routine proceeds to step S106.
The registry redirector 11 and the distributed object generation management module 13 both reside in the system area. Therefore, the distributed object generation management module 13 inquires directly of the registry redirector 11, without going through the whole control module 20, which does not reside in the system area.
In step S105, the distributed object generation management module 13 requests the whole control module 20 to generate and start a supervision object distributed object server 21.
When the whole control module 20 receives the above request from the distributed object generation management module 13, it has the supervision object distributed object server generation module 20G it holds internally execute the following processing.
That is, the supervision object distributed object server generation module 20G generates and starts the requested supervision object distributed object server 21 as its own child process (step S89 of Figure 10). Then the whole control module 20 notifies the distributed object generation management module 13 of the pid of the supervision object distributed object server 21 generated and started as its own child process (step S90).
Then the distributed object generation management module 13 obtains from the whole control module 20 the pid of the supervision object distributed object server 21 and proceeds to step S107.
In step S106, the distributed object generation management module 13 itself generates and starts, as its own child process, a distributed object server that is not a supervision object, and obtains the pid of that distributed object server.
In step S107, the distributed object generation management module 13 uses the obtained pid to begin managing the newly generated and started distributed object server.
In step S108, the distributed object generation management module 13 determines whether the desired distributed object server that is currently running is a supervision object. Up to this point, the distributed object generation management module 13 has either obtained from the whole control module 20 the pid of a distributed object server that is a supervision object (step S105), or has itself generated and started a distributed object server that is not a supervision object and obtained its pid (step S106).
Accordingly, the distributed object generation management module 13 can determine by itself whether the distributed object server is a supervision object, based on how it obtained the pid of the running distributed object server, without inquiring about the pid at the whole control module 20 or the registry redirector 11. That is, the distributed object generation management module 13 has a function for retaining this determination result, and using that function it can determine whether the above distributed object server is a supervision object.
When the distributed object generation management module 13 does not have the function for retaining the determination result of whether the currently running distributed object server is a supervision object, it identifies the pid of the running desired distributed object server that it manages, inquires again directly of the registry redirector 11, and determines whether the running desired distributed object server is a supervision object. Then, when the running desired distributed object server is a supervision object, the routine proceeds to step S109; when it is not, the routine proceeds to step S110.
In step S109, the distributed object generation management module 13 uses the pid of the process that initiated the use request, obtained in step S102, to inquire directly of the registry redirector 11, and determines whether that process is a supervision object. When the process that initiated the use request is a supervision object, the routine proceeds to step S111; when it is not, the routine proceeds to step S112.
In step S110, the distributed object generation management module 13 determines, in the same way as in step S109, whether the process that initiated the use request is a supervision object. When the process that initiated the use request is a supervision object, the routine proceeds to step S112; when it is not, the routine proceeds to step S111.
In step S111, one of the following state 1 or state 2 applies.
(State 1) The desired distributed object server is a supervision object (a supervision object distributed object server 21), and the process that initiated the use request is also a supervision object (a supervision object user process 32). In this case, even if the supervision object user process 32 that initiated the use request accesses the desired supervision object distributed object server 21, no problem arises, because the server is itself a supervision object.
(State 2) The desired distributed object server is not a supervision object, and the process that initiated the use request is also not a supervision object. This is an ordinary behavior, and even if the process that initiated the use request accesses the desired distributed object server, no problem arises, because the server is not a supervision object either.
Here, the distributed object generation management module 13 returns to the process that initiated the use request an answer containing the access method for the desired distributed object server. Then the routine returns to step S101.
In addition, when the desired distributed object server is not running (negative determination in step S103), steps S104 to S107 are executed and the desired distributed object server is generated and started. At this time, if the process that initiated the use request is a supervision object, the generated distributed object server also becomes a supervision object (a supervision object distributed object server 21). On the other hand, if the process that initiated the use request is not a supervision object (if it is an ordinary process), the generated and started distributed object server is not a supervision object either.
Therefore, when the desired distributed object server is newly generated and started by the processing of steps S104 to S107 in accordance with the use request and the process that initiated it, steps S108 and S109 are both affirmative determinations, or steps S108 and S110 are both negative determinations. As a result, the distributed object generation management module 13 necessarily allows the use request for the desired distributed object server from the process that initiated it and returns an answer containing the access method for that distributed object server (step S111).
In step S112, become following state 3 or state 4.
(state 3) is although desired distributed objects server is supervision object (supervision object distributed objects service Device 21), it the use of request initiation process is not supervision object.
(state 4) although desired distributed objects server is not supervision object, it uses request initiation process (supervision object consumer process 32) is supervision object.
When the desired distributed objects server opportunity of some process has been requested just from the use of other consumer process At operation the affirmative of step S103 (determine), and the processing of step S104 to step S107 is not performed, generating state 3 or The situation of person's state 4.That is, when the process of other users is not supervision object, the running desired distributed objects Server is also not supervision object.Therefore, if the use of request initiation process being once supervision object (supervision object consumer process 32), then generating state 4 the case where.
Under such circumstances, by using request initiation process to allow the access method of desired distributed objects server If, the monitoring loophole of the program behavior of one party can be generated.
Herein, in step S112, distributed objects generate management module 13 for using request initiation process, and return is refused The answer of desired distributed objects server is accessed absolutely.Then, step S101 is again returned to.
In addition, being temporarily ceased desired in being currently running for the answer of denied access shown in settlement steps to deal S112 Distributed objects server, later, it is necessary to whether use under the identical monitored state of request initiation process (be monitoring pair As) it is again started up the desired distributed objects server.Its reason is as described below.
Registration table redirector 11 and file system redirector 12, in supervision object distributed objects server In the presence of 21, the special protection behavior of process (refers to Fig. 6 to Fig. 9).Accordingly, if running desired distributed objects Server does not stop, but if becoming supervision object from non-supervision object, above-mentioned special protection behavior cannot be kept on one side Consistency maintains on one side.That is, becoming supervision object from non-supervision object, it is necessary to not have in desired distributed objects server It is executed when operation, needs to be implemented above-mentioned processing.
If in addition, running desired distributed objects server does not stop, and becoming non-prison from supervision object Depending on object, the file process executed by the desired distributed objects server probably causes problems.For example, monitoring If 21 new files of object distribution formula object server, this document is only configured to be pressed from both sides in off-limit file.But desired monitoring If object distribution formula object server 21 does not stop but becomes non-supervision object, the desired distributed objects service Device cannot access the new files in off-limit file folder.In order to avoid such problems, to desired distribution When the monitoring situation of object server changes, once terminate the desired distributed objects server, it has to when Desired distributed objects server after the change of monitoring situation restarts from initially.
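As an added illustration (not code from the patent), the following Python model implements the decision of steps S103 to S112 described above: a use request is granted only when the requesting process and the running distributed object server are in the same monitoring state, and a mismatch (state 3 or 4) is resolved by stopping the server and regenerating it from scratch under the requester's state. The class names, pid values and access method strings are constructed for the example.

```python
"""Model of the distributed object server generation management routine (Fig. 12/13).

Added illustration, not the patent's own code. RegistryRedirector, GenerationManager,
the pid values and the access method strings are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class RegistryRedirector:
    """Registry redirector 11: holds the supervision object process list.

    is_supervised() answers the direct pid queries made in steps S108 to S110.
    """

    def __init__(self, supervised_pids: Set[int]) -> None:
        self.supervised_pids = set(supervised_pids)

    def is_supervised(self, pid: int) -> bool:
        return pid in self.supervised_pids


@dataclass
class DistributedObjectServer:
    name: str
    pid: int
    supervised: bool
    access_method: str = ""

    def __post_init__(self) -> None:
        # Constructed access method string; a real server would expose an RPC/COM binding.
        self.access_method = f"{self.name}@pid{self.pid}"


@dataclass
class GenerationManager:
    """Distributed object generation management module 13 (modelled)."""

    redirector: RegistryRedirector
    running: Dict[str, DistributedObjectServer] = field(default_factory=dict)
    next_pid: int = 1000
    restarts: int = 0

    def _generate(self, name: str, supervised: bool) -> DistributedObjectServer:
        # S104-S107: generate and start the server. A supervised server is started
        # through the overall control module 20 so its pid is entered into the
        # supervision object process list; an ordinary server is a plain child process.
        self.next_pid += 1
        server = DistributedObjectServer(name, self.next_pid, supervised)
        if supervised:
            self.redirector.supervised_pids.add(server.pid)
        self.running[name] = server
        return server

    def handle_use_request(self, requester_pid: int, name: str) -> Optional[str]:
        """Return the access method (step S111) or None for a refusal (step S112)."""
        requester_supervised = self.redirector.is_supervised(requester_pid)  # S109/S110
        server = self.running.get(name)                                      # S103
        if server is None:
            server = self._generate(name, requester_supervised)              # S104-S107
        server_supervised = self.redirector.is_supervised(server.pid)        # S108
        if server_supervised == requester_supervised:
            return server.access_method   # state 1 or state 2: both sides match
        return None                       # state 3 or state 4: would open a monitoring gap

    def restart_for(self, requester_pid: int, name: str) -> str:
        """Resolve a refusal as the text requires: stop the server and regenerate it
        from the beginning under the requester's monitoring state (no in-place flag flip)."""
        server = self.running.pop(name, None)
        if server is not None:
            self.redirector.supervised_pids.discard(server.pid)
            self.restarts += 1
        supervised = self.redirector.is_supervised(requester_pid)
        return self._generate(name, supervised).access_method
```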
[Modification]
The explanation so far has assumed that the desired distributed object server is generated and started as at most one process. Next, assume that the desired distributed object server can be generated and started as multiple processes. Distributed object generation management module 13 can manage the monitoring state (supervision object or not) of each of the multiple distributed object servers individually. When a use request for the desired distributed object server arrives from a use-request initiating process, module 13 selects a distributed object server that exists in the same monitoring state as the initiating process, and returns to that process an answer containing the access method of the selected server.
However, distributed object generation management module 13 is originally provided as one of the functional blocks of the operating system. To change the standard functions of the operating system as little as possible, the use-request initiating process itself can directly determine whether the desired distributed object server is running and what its monitoring state is. In that case, distributed object generation management module 13 executes only the following routine.
Fig. 14 is a flowchart of the second distributed object server generation management routine executed by distributed object generation management module 13. Steps that perform the same processing as in Fig. 12 carry the same reference symbols as in Fig. 12.
The premise here is that the use-request initiating process (a) queries the overall control module 20 with its own pid when it starts, and so knows in advance whether it is itself a supervision object, and (b) knows in advance whether the desired distributed object server is running as a supervision object (supervision object distributed object server 21). Both can be realized by a hook program injected into the use-request initiating process.
An ordinary (non-supervision object) process that requests the desired distributed object server from distributed object generation management module 13 generally does not convey its own pid. Here, when the use-request initiating process is itself a supervision object (supervision object user process 32), it sends distributed object generation management module 13 a use request notification that contains its own pid.
In step S101, distributed object generation management module 13 determines whether there is a use request for the desired distributed object server from a use-request initiating process. If there is, the routine proceeds to step S121; if there is not, module 13 waits until a use request arrives.
In step S121, distributed object generation management module 13 determines whether the use request notification contains the pid of the use-request initiating process. If the pid is contained, the routine proceeds to step S105; if it is not, the routine proceeds to step S106.
In step S105, distributed object generation management module 13 requests the overall control module 20 to generate and start the desired supervision object distributed object server 21. After generating and starting the desired supervision object distributed object server 21 as its own child process, the overall control module 20 notifies distributed object generation management module 13 of its pid.
Distributed object generation management module 13 then obtains the pid of the desired supervision object distributed object server 21 from the overall control module 20, and the routine proceeds to step S107.
In step S106, distributed object generation management module 13 generates and starts the desired non-supervision object distributed object server as its own child process, and obtains the pid of that distributed object server. The routine then proceeds to step S107.
In step S107, it is distributed object generation management module 13 that manages the generated and started distributed object server, whether or not it is a supervision object.
Therefore, in step S107, distributed object generation management module 13 uses the obtained pid to begin managing the newly generated and started desired distributed object server directly. The routine then proceeds to step S111.
In step S111, distributed object generation management module 13 returns to the use-request initiating process an answer containing the access method of the desired distributed object server. The routine then returns to step S101.
As described above, with the routine of Fig. 14 the change to distributed object generation management module 13 is limited to, for example, the range enclosed by the thick dashed frame in the figure.
In the present embodiment, the distributed object server is generated and started in the public area regardless of whether it is a supervision object, so that it can be shared with other users.
However, for reasons such as security, it may be assumed that when the distributed object server is a supervision object, its use is limited to the use-request initiating process or to supervision object user processes 32 generated and started in the personal user area owned by the use-request initiating process. In that case, the supervision object distributed object server 21 may be generated and started in the personal user area of the use-request initiating process.
In that case, the processing of step S14 shown in Fig. 3 is executed after the affirmative determination in step S8 (before or after step S9, and before step S10). Further, instead of the overall control module 20, the supervision object user process generation module 31 allocated to that user may generate and start the supervision object distributed object server 21.
The program behavior monitored for a supervision object process is not limited to the behavior described above; inter-process communication, for example, can also be monitored. That is, TCP/IP network communication and the like are also among the supervision objects.
For example, when the operating system is Microsoft Windows (registered trademark), a filter driver called WFP (Windows Filtering Platform) is generated and run in the system area. With it, functions for monitoring, controlling and protecting the TCP/IP network communication performed by supervision object processes can be realized, similar to those that the registry redirector 11 provides for registry access behavior.
[Second embodiment]
Next, the second embodiment of the present invention is described. Parts and processing identical to those of the first embodiment carry the same reference symbols, and their description is omitted.
In the first embodiment, when distributed object generation management module 13 receives a use request for the desired distributed object server from a supervision object user process 32, it forwards the request to the overall control module 20, which takes over the generation and starting of the specified supervision object distributed object server 21.
In the second embodiment, by contrast, when distributed object generation management module 13 receives a use request for the desired distributed object server from a supervision object user process 32, it generates and starts the distributed object server itself.
Here, between the generation and starting of a distributed object server specified as a supervision object and the point at which that server is actually monitored (as supervision object distributed object server 21), the behavior of the server continues; if nothing is done about this, a gap in program behavior monitoring is likely to arise.
Therefore, in the second embodiment, when distributed object generation management module 13 itself generates a distributed object server specified as a supervision object, it temporarily suspends the behavior of that server. Distributed object generation management module 13 then notifies the registry redirector 11 of the pid of the distributed object server, confirms that it has received a login-complete response and that the server has become a supervision object (supervision object distributed object server 21), and only then starts the behavior of the distributed object server.
That is, synchronous processing between distributed object generation management module 13 and the registry redirector 11 prevents gaps in the monitoring of the program behavior of the specified distributed object server. Specifically, instead of the distributed object server generation management routine shown in Fig. 12, the third distributed object server generation management routine shown in Fig. 15 is executed.
Fig. 15 is a flowchart of the third distributed object server generation management routine. Steps S101 to S103 are the same as in Fig. 12. After a negative determination in step S103, the routine proceeds to step S131 of Fig. 15.
In step S131, since the specified distributed object server is not running, distributed object generation management module 13 generates the distributed object server itself and obtains the pid of the generated distributed object server. In this step, module 13 executes its usual processing.
In step S132, distributed object generation management module 13 queries the registry redirector 11 directly with the pid obtained in step S101 and determines whether the use-request initiating process is a supervision object. If the process is a supervision object, the routine proceeds to step S133; if it is not, the routine proceeds to step S135.
In step S133, distributed object generation management module 13 notifies the registry redirector 11 of the pid of the distributed object server obtained in step S131.
In step S134, distributed object generation management module 13 determines whether a response has arrived from the registry redirector 11 stating that the notified pid has been logged in. If the login-complete response has arrived, the routine proceeds to step S135; otherwise module 13 waits until the response arrives.
In step S135, distributed object generation management module 13 starts the distributed object server generated in step S131 and begins managing that distributed object server. The routine then proceeds to step S108 shown in Fig. 13. In this step, module 13 executes its usual processing.
As described above, distributed object generation management module 13 notifies the registry redirector 11 of the pid of the specified distributed object server in the interval between generating it and starting it, and has the pid logged in. Accordingly, even the initial behavior of a supervision object distributed object server is monitored, and no gap in program behavior monitoring occurs.
The present invention is not limited to the embodiments described above; design changes within the scope of the claims also fall within it.
For example, each of the forms described above may be implemented in hardware, or by a computer in which a program stored on a storage medium has been installed.
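As an added illustration (not the patent's code), the following Python model contrasts a naive generate-then-register sequence with the synchronous routine of steps S131 to S135: the server's initial behavior is only captured when its pid is logged in with the registry redirector before the server is started. Class names, event names and pid values are constructed for the example.

```python
"""Model of the third generation management routine (Fig. 15, steps S131-S135).

Added illustration, not the patent's own code. The classes, the event names that stand
for the server's initial behavior, and the pid values are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Set


class RegistryRedirector:
    """Registry redirector 11: keeps the supervision object process list and records
    which behaviors it actually observed from registered pids."""

    def __init__(self, supervised_pids: Set[int]) -> None:
        self.supervised_pids = set(supervised_pids)
        self.monitored_events: List[str] = []

    def is_supervised(self, pid: int) -> bool:
        """Direct pid query (step S132)."""
        return pid in self.supervised_pids

    def login(self, pid: int) -> bool:
        """Enter the pid into the list and reply 'login complete' (steps S133/S134)."""
        self.supervised_pids.add(pid)
        return True

    def observe(self, pid: int, event: str) -> bool:
        """Return True if the behavior was monitored, i.e. the pid was registered at the time."""
        if pid in self.supervised_pids:
            self.monitored_events.append(f"{pid}:{event}")
            return True
        return False


@dataclass
class DistributedObjectServer:
    pid: int
    redirector: RegistryRedirector
    started: bool = False
    unmonitored: List[str] = field(default_factory=list)

    def start(self) -> None:
        self.started = True
        # Constructed initial behavior: the first actions a server performs after start.
        for event in ("open-config", "register-class-objects", "write-temp-file"):
            if not self.redirector.observe(self.pid, event):
                self.unmonitored.append(event)


def generate_server_naive(redirector: RegistryRedirector, requester_pid: int,
                          pid: int) -> DistributedObjectServer:
    """Start first, register afterwards: the initial behavior escapes monitoring."""
    server = DistributedObjectServer(pid, redirector)
    server.start()
    if redirector.is_supervised(requester_pid):
        redirector.login(pid)
    return server


def generate_server_synchronous(redirector: RegistryRedirector, requester_pid: int,
                                pid: int) -> DistributedObjectServer:
    """Fig. 15: generate the server suspended (S131); if the requester is a supervision
    object (S132), log the pid in and wait for the reply (S133/S134); only then start (S135)."""
    server = DistributedObjectServer(pid, redirector)      # S131: created, not yet started
    if redirector.is_supervised(requester_pid):           # S132
        if not redirector.login(pid):                     # S133/S134: wait for login reply
            raise RuntimeError("registry redirector did not confirm login")
    server.start()                                        # S135
    return server
```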
Description of reference symbols
1 program behavior monitoring system
11 registry redirector
12 file system redirector
13 distributed object generation management module
20 overall control module
20G supervision object distributed object server generation module
21 supervision object distributed object server
31 supervision object user process generation module
32 supervision object user process
32P print behavior monitoring module
32C clipboard behavior monitoring module

Claims (12)

1. A program behavior monitoring device, comprising:
a supervision object process management module that enters, into a supervision object process list, the identification information of a supervision object process, that is, a process that is the executing subject of a program and is at the same time an object of monitoring, and that, when a querying entity issues a query as to whether an arbitrary process is a supervision object, looks up the supervision object process list with the identification information of that process and returns to the querying entity information on whether that process is a supervision object; and
a notification receiving module that receives a specified notification from a distributed object generation management device, which generates a distributed object server and holds the identification information of that distributed object server, when the distributed object generation management device receives a use request for the distributed object server from a supervision object process.
2. The program behavior monitoring device according to claim 1, wherein,
as the specified notification, the notification receiving module receives a request notification asking it to generate, in place of the distributed object generation management device, the distributed object server for which the use request was made.
3. The program behavior monitoring device according to claim 2, further comprising:
a distributed object server generation module that, based on the request notification received by the notification receiving module, generates the distributed object server for which the use request was made as its own child process; and
a notification module that notifies the distributed object generation management device of the identification information identifying the distributed object server generated by the distributed object server generation module,
wherein the supervision object process management module enters the identification information of the distributed object server generated by the distributed object server generation module into the supervision object process list.
4. The program behavior monitoring device according to claim 3, further comprising:
an identification information acquisition module that, each time a new process is started, acquires the identification information of the new process and the identification information of the parent process of the new process; and
an identification information registration module that, each time a new process is started, refers to the identification information acquired by the identification information acquisition module and, when the identification information of the parent process of the new process has already been entered in the supervision object process list, enters the identification information of the new process into the supervision object process list.
5. The program behavior monitoring device according to claim 1, wherein
the notification receiving module receives, as the specified notification, the identification information of the distributed object server generated by the distributed object generation management device.
6. The program behavior monitoring device according to claim 5, wherein
the supervision object process management module enters the identification information received by the notification receiving module into the supervision object process list.
7. A distributed object generation management device, comprising:
a use request receiving module that receives a use request for a distributed object server from a process that is the executing subject of a program;
a distributed object server generation module that generates the distributed object server for which the use request was made when the identification information of the process that initiated the use request received by the use request receiving module has not been entered in a supervision object process list; and
a notification sending module that sends a specified notification to a program behavior monitoring device when the identification information of the process that initiated the use request received by the use request receiving module has not been entered in the supervision object process list.
8. The distributed object generation management device according to claim 7, wherein,
as the specified notification, the notification sending module sends a request notification asking the program behavior monitoring device to generate, in place of the distributed object server generation module, the distributed object server for which the use request was made.
9. The distributed object generation management device according to claim 7, wherein,
when the use request receiving module receives the use request, the distributed object server generation module generates every distributed object server for which the use request was made, and,
as the specified notification, the notification sending module sends the identification information of the distributed object server generated for the use request when the identification information of the process that initiated the use request has been entered in the supervision object process list.
10. A storage medium storing a program that causes a computer to function as the following modules:
a supervision object process management module that enters, into a supervision object process list, the identification information of a supervision object process, that is, a process that is the executing subject of a program and is at the same time an object of monitoring, and that, when a querying entity issues a query as to whether an arbitrary process is a supervision object, looks up the supervision object process list with the identification information of that process and returns to the querying entity information on whether that process is a supervision object; and
a notification receiving module that receives a specified notification from a distributed object generation management device, which generates a distributed object server and holds the identification information of that distributed object server, when the distributed object generation management device receives a use request for the distributed object server from a supervision object process.
11. A storage medium storing a program that causes a computer to function as the following modules:
a use request receiving module that receives a use request for a distributed object server from a process that is the executing subject of a program;
a distributed object server generation module that generates the distributed object server for which the use request was made when the identification information of the process that initiated the use request received by the use request receiving module has not been entered in a supervision object process list; and
a notification sending module that sends a specified notification to a program behavior monitoring device when the identification information of the process that initiated the use request received by the use request receiving module has not been entered in the supervision object process list.
12. A program behavior monitoring system, comprising:
a program behavior monitoring device comprising: a supervision object process management module that enters, into a supervision object process list, the identification information of a supervision object process, that is, a process that is the executing subject of a program and is at the same time an object of monitoring, and that, when a querying entity issues a query as to whether an arbitrary process is a supervision object, looks up the supervision object process list with the identification information of that process and returns to the querying entity information on whether that process is a supervision object; and a notification receiving module that receives a specified notification from a distributed object generation management device, which generates a distributed object server and holds the identification information of that distributed object server, when the distributed object generation management device receives a use request for the distributed object server from a supervision object process; and
a distributed object generation management device comprising: a use request receiving module that receives a use request for a distributed object server from a process that is the executing subject of a program; a distributed object server generation module that generates the distributed object server for which the use request was made when the identification information of the process that initiated the use request received by the use request receiving module has not been entered in the supervision object process list; and a notification sending module that sends a specified notification to the program behavior monitoring device when the identification information of the process that initiated the use request received by the use request receiving module has not been entered in the supervision object process list.
CN201780067370.9A 2016-10-31 2017-02-28 Program behavior monitoring device, distributed object generation management device, storage medium, and program behavior monitoring system Active CN109923547B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2016212993A JP6104447B1 (en) 2016-10-31 2016-10-31 Program operation monitoring control device, distributed object generation management device, program, and program operation monitoring system
JP2016-212993 2016-10-31
PCT/JP2017/007900 WO2018078902A1 (en) 2016-10-31 2017-02-28 Program operation monitoring control device, distributed object generation and management device, recording medium, and program operation monitoring system

Publications (2)

Publication Number Publication Date
CN109923547A true CN109923547A (en) 2019-06-21
CN109923547B CN109923547B (en) 2023-07-07

Family

ID=59366064

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780067370.9A Active CN109923547B (en) 2016-10-31 2017-02-28 Program behavior monitoring device, distributed object generation management device, storage medium, and program behavior monitoring system

Country Status (6)

Country Link
US (1) US10831885B2 (en)
EP (1) EP3340099B1 (en)
JP (1) JP6104447B1 (en)
CN (1) CN109923547B (en)
DK (1) DK3340099T3 (en)
WO (1) WO2018078902A1 (en)


Also Published As

Publication number Publication date
US10831885B2 (en) 2020-11-10
US20180300474A1 (en) 2018-10-18
CN109923547B (en) 2023-07-07
DK3340099T3 (en) 2023-02-20
JP6104447B1 (en) 2017-03-29
JP2018073166A (en) 2018-05-10
EP3340099A1 (en) 2018-06-27
EP3340099A4 (en) 2018-06-27
WO2018078902A1 (en) 2018-05-03
EP3340099B1 (en) 2022-12-07

Similar Documents

Publication Publication Date Title
CN109923547A (en) Program behavior monitoring equipment, distributed objects generate management equipment, storage medium and program behavior monitoring system
JP4441249B2 (en) Apparatus for using context property metadata in a network computing environment
US10848520B2 (en) Managing access to resources
US10375054B2 (en) Securing user-accessed applications in a distributed computing environment
US7562115B2 (en) Method and apparatus for connecting a secure peer-to-peer collaboration system to an external system
US8024361B2 (en) Method and system for allowing multiple users to access and unlock shared electronic documents in a computer system
US20070162417A1 (en) System and method for selective access to restricted electronic documents
US6189032B1 (en) Client-server system for controlling access rights to certain services by a user of a client terminal
US20140164315A1 (en) System And Method For The Creation Of, Automatic Synchronization Of, And Access To Multi-Cloud Documents That Reside Across Dissimilar Clouds, Devices, And Operating Systems And That Are Accessed By Multiple Dissimilar Applications
US9391779B2 (en) Reactive biometric single sign-on utility
US7620737B2 (en) Methods, apparatus, and program products for abstract applications/components in a ubiquitous computing environment
US7890535B2 (en) Management of processes based on reference information
TW200811685A (en) System and method for tracking the security enforcement in a grid system
AU2006284414A1 (en) Security in peer to peer synchronization applications
CN105122263A (en) Orchestrated interaction in access control evaluation
JP2005503596A5 (en)
AU2005292568A1 (en) A method and apparatus for assigning access control levels in providing access to networked content files
US20220222360A1 (en) Chatbot control device and chatbot control method
JP4122042B1 (en) Access authority control system
AU2003293360A1 (en) System and method for managing resource sharing between computer nodes of a network
CN110210191A (en) Data processing method and related apparatus
CN107766707B (en) Method and apparatus for responding to user request in application container engine
JP2009080561A (en) External device management system
JP4191239B2 (en) Access authority control system
KR20050055240A (en) Integrated management system for metadata and method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant